Implementing data management application programming interface access rights in a parallel file system

ABSTRACT

In a cluster of computing nodes having shared access to one or more volumes of data storage using a parallel file system, a method for managing the data storage includes initiating a data management application in the cluster using a data management application programming interface (DMAPI) of the parallel file system. When a request submitted to the parallel file system is received on one of the nodes to perform an operation on a file in one of the volumes of data storage, a data management access right is obtained from the DMAPI responsive to the request The operation is performed on the file using the access right.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims the benefit of U.S. Provisional PatentApplication No. 60/214,127, filed Jun. 26, 2000. It is related to fourother U.S. patent applications, filed on even date, entitled “DataManagement Application Programming Interface Session Management for aParallel File System”; “Data Management Application ProgrammingInterface for a Parallel File System”; “Data Management ApplicationProgramming Interface Handling Mount on Multiple Nodes in a ParallelFile System”; and “Data Management Application Programming InterfaceFailure Recovery in a Parallel File System.” All of these relatedapplications are assigned to the assignee of the present patentapplication and are incorporated herein by reference.

FIELD OF THE INVENTION

The present invention relates generally to computer file systems, andspecifically to implementation of data management applications inparallel file systems.

BACKGROUND OF THE INVENTION

A wide variety of data management (DM) applications have been developedto supplement the basic file storage and retrieval functions offered bymost operating system (OS) kernels. Typical DM applications includehierarchical storage management (also known as data migration) ,unattended data backup and recovery, on-line encryption and compression,and directory browsers. These applications, which extend the basic OSkernel functions, are characterized by the need for monitoring andcontrolling the use of files in ways that ordinary user applications donot require.

In response to this need, the Data Management Interfaces Group (DMIG)was formed by a consortium of UNIX® software vendors to develop astandard Data Management Application Programming Interface (DMAPI).DMAPI provides a consistent, platform-independent interface for DMapplications, allowing DM applications to be developed in much the sameway as ordinary user applications. By defining a set of standardinterface functions to be offered by different OS vendors, DMAPI givesDM software developers the tools they need for monitoring andcontrolling file use, without requiring them to modify the OS kernel.DMAPI is described in detail in a specification document published bythe Open Group (www.opengroup.org), entitled “Systems Management: DataStorage Management (XDSM) API” (Open Group Technical Standard, 1997),which is incorporated herein by reference. This document is available atwww.opengroup.org.

As noted in the XDSM specification, one of the basic foundations ofDMAPI is “events.” In the event paradigm, the OS informs a DMapplication running in user space whenever a particular, specified eventoccurs, such as a user application request to read a certain area of afile. The event may be defined (using DMAPI) as “synchronous,” in whichcase the OS will notify the DM application of the event and will waitfor its response before proceeding, or as “asynchronous,” in which caseOS processing continues after notifying the DM application of the event.The area of a file with respect to which certain events are defined isknown as a “managed region.”

Another fundamental concept in DMAPI is a “token,” which is a referenceto a state that is associated with a synchronous event message. Thestate typically includes lists of files affected by the event and DMaccess rights in force for those files. The token may be passed fromthread to thread of the DM application and provides a convenient meansfor referencing the state. Access rights may either be shared with otherprocesses (in which case they are read-only rights), or they may beexclusive (read-write) rights.

Communications between DM applications and the OS are session-based. TheDM application creates the session by an appropriate DMAPI function call(dm_create_sessions( )). The application then registers eventdispositions for the session, indicating which event types in aspecified file system should be delivered to the session. Multiplesessions may exist simultaneously, and events in a given file system maybe delivered to any of these sessions.

The DMAPI standard, having grown out of the needs of UNIX systemvendors, is based on the notion of a single system environment, using asingle computing node. DMAPI implementations have also been developedfor distributed file systems, which allow a user on a client computerconnected to a network to access and modify data stored in files on afile server. When a user accesses data on the file server, a copy of thedata is stored, or cached, on the client computer, and the user can thenread and modify the copy. When the user is finished, the modified dataare written back to the file server. Examples of distributed filesystems include Sun Microsystems' Network File System (NFS™), NovellNetware™, Microsoft's Distributed File System, and IBM/Transarc's DFS™.Transarc Corporation (Pittsburgh, Pa.) has developed a DMAPIimplementation for its DFS called DMEpi. All of these distributed filesystems, however, are still essentially single-node systems, in which aparticular server controls any given file. The DMAPI and data managementapplications for such distributed file systems are essentially serverfunctions and are not distributed among the client nodes.

IBM's General Parallel File System (GPFS) is a UNIX-style file systemdesigned for IBM RS/6000 multiprocessor computing platforms, such as theSP™ and HACMP™ systems. GPFS, which runs in the AIX® operating system,allows applications on multiple nodes to share file data, withoutmediation of a file server as in distributed file systems. GPFS isdescribed, for example, in a publication entitled “General Parallel FileSystem for AIX: Concepts, Planning and Installation,” which is availableat www.rs6000.ibm.com/resource/aix_resource/sp_books/gpfs. GPFS supportsvery large file systems and stripes data across multiple disks forhigher performance. GPFS is based on a shared disk model that provideslow-overhead access to disks not directly attached to the applicationnodes and uses a distributed locking protocol to provide full datacoherence for access from any node. These capabilities are availablewhile allowing high-speed access to the same data from all nodes of thesystem. GPFS has failure recovery capabilities, allowing applications tocontinue running even when node or network component failures occur.

A series of patents to Schmuck et al. describe aspects of a sharedparallel disk file system that are implemented in GPFS. These patentsinclude U.S. Pat. Nos. 5,893,086; 5,940,838; 5,963,963; 5,987,477;5,999,976; 6,021,508; 6,023,706; and 6,032,216, all of whose disclosuresare incorporated herein by reference.

SUMMARY OF THE INVENTION

Preferred embodiments of the present invention provide a DMAPI that issuitable for use in a multi-node, parallel computing environment, andspecifically for use with parallel file systems. Implementing DMAPI in aparallel file system, such as the above-mentioned GPFS, requiresenhancements to the functions defined in the XDSM standard andalterations in certain basic definitions and assumptions that underlieDMAPI implementations known in the art. The basic semantics andfunctionality of the standard DMAPI model, however, are preferablypreserved in the parallel system. DM application programmers are thusenabled to integrate data migration and other DM applications with theparallel file system in an immediate and straightforward manner.

In preferred embodiments of the present invention, computing nodes in acluster are mutually linked by a suitable interconnection to a set ofone or more block storage devices, typically disks. A parallel filesystem is configured so that all nodes in the cluster can mount the sameset of file system instances. File data and metadata, on multiplelogical volumes, may reside at different nodes. All of the volumes areaccessible from all of the nodes via a shared disk mechanism, wherebythe file data can be accessed in parallel by multiple tasks running onmultiple nodes. The enhanced DMAPI provided for the parallel file systemis used to support DM functions, such as automatic data migration, overall of the nodes and storage volumes in the cluster.

DM applications may run on substantially any of the nodes in thecluster, as either single-node or multi-node parallel applications. TheDM application preferably starts by creating a session on one of thenodes and specifying the DM events that are to be reported to thesession. The node on which the session is created is designated as thesession node, and all specified events generated by file systemoperations are reported to the session node, regardless of the node atwhich the events are generated. Thus, an event may be generated by afile operation on one of the nodes, referred to herein as the sourcenode, and delivered to a session on a different node, i.e., the sessionnode. If the event is a synchronous event, requiring a response from theDM application before the file operation can continue, the source nodewill wait to carry out the requested file operation until the sessionnode has sent its response back to the source node. In contrast, inDMAPI implementations known in the art all events and sessions takeplace on a single node.

Certain DMAPI functions require either exclusive or shared DM accessrights. These rights are typically controlled using tokens. Preferably,all access rights for a given session are managed by the session node.To simplify event management, only the session node can call DMAPIfunctions that change the state of the session or event. Other nodes,however, can use DMAPI functions that do not change the session or eventstate. Thus, non-state-changing DM functions that are I/O-intensive,such as dm_read _invis( ) and dm_write_invis ( ), can run on multiplenodes simultaneously in order to take advantage of the parallelism inthe file system.

In some preferred embodiments of the present invention, a lockingmechanism is used in order to avoid conflicts in file access among DMapplications and between DM applications and file operations. Althoughparallel file systems known in the art typically use a hierarchy of filelocks, these existing locks are inadequate to deal with DM accessrights, which may be held across multiple kernel calls and shared amongdifferent DM application threads. Therefore, a DM lock is added to thehierarchy of locks in the parallel file system, and is most preferablyacquired first by file or DM operations, before acquiring the otherlocks in the hierarchy.

There is therefore provided, in accordance with a preferred embodimentof the present invention, in a cluster of computing nodes having sharedaccess to one or more volumes of data storage using a parallel filesystem, a method for managing the data storage, including:

initiating a data management application in the cluster using a datamanagement application programming interface (DMAPI) of the parallelfile system;

receiving a request submitted to the parallel file system on one of thenodes to perform an operation on a file in one of the volumes of datastorage;

obtaining a data management access right from the DMAPI responsive tothe request; and

performing the operation on the file using the access right.

Preferably, initiating the data management application includes creatinga session of the data management application on a session node selectedfrom among the nodes in the cluster, and obtaining the data managementaccess right includes obtaining the right at the session node. In apreferred embodiment, initiating the data management applicationincludes initiating a data migration application, so as to free storagespace on at least one of the volumes of data storage, and receiving therequest includes generating an event responsive to the request, andobtaining the right at the session node includes associating a DM tokenwith the right at the session node for use in invoking a DMAPI functionto be applied to the file and associating the token with the event, andperforming the operation includes migrating data at a plurality of thenodes simultaneously by presenting the token in connection with theDMAPI function.

Additionally or alternatively, receiving the request includes receivingan invocation of a file operation submitted to the parallel file systemby a user application on a source node, and sending a notification of aDM event to the session node responsive to the request, and obtainingthe right at the session node includes processing the event at thesession node subject to the access right.

In a preferred embodiment, obtaining the data management access rightincludes acquiring a data management lock on the file, so as to restrictother data management and file operations on the file while the lock isheld. In some cases, the operation is a data management operation, andacquiring the data management lock includes holding the lock over asequence of multiple kernel calls in the parallel file system. In othercases, the operation is a file operation, and acquiring the datamanagement lock includes holding the lock for a single kernel call inthe parallel file system. In a preferred embodiment, the file operationis one of a plurality of file operations to be performed on the file,and acquiring the data management lock includes allowing the pluralityof file operations to hold respective data management lockssimultaneously without mutual conflict. Preferably, acquiring the datamanagement lock may include either acquiring an exclusive lock oracquiring a shared lock.

Preferably, acquiring the data management lock includes selecting thelock from a table of locks provided for both file operations and datamanagement operations. In a preferred embodiment, performing theoperation comprises calling a DMAPI function to perform a datamanagement operation, and acquiring the data management lock comprisesacquiring, in a course of executing the DMAPI function, one of the locksprovided for the file operations for the duration of the DMAPI function,so as to enable calling the DMAPI function without presenting a DMtoken.

Further preferably, acquiring the data management lock comprisesproviding the data management lock within a hierarchy of locks supportedby the parallel file system.

There is also provided, in accordance with a preferred embodiment of thepresent invention, computing apparatus, including:

one or more volumes of data storage, arranged to store data; and

a plurality of computing nodes, linked to access the volumes of datastorage using a parallel file system, and arranged so as to enable adata management (DM) application to be initiated using a data managementapplication programming interface (DMAPI) of the parallel file system,such that when a request submitted to the parallel file system isreceived on one of the nodes to perform an operation on a file in one ofthe volumes of data storage, a data management access right is obtainedfrom the DMAPI responsive to the request, and the operation on the fileis performed using the access right.

There is additionally provided, in accordance with a preferredembodiment of the present invention, a computer software productproviding a data management application programming interface (DMAPI)for use in a cluster of computing nodes having shared access to one ormore volumes of data storage using a parallel file system, the productincluding a computer-readable medium in which program instructions arestored, which instructions, when read by the computing nodes, cause adata management application to be initiated using the DMAPI, such thatwhen a request submitted to the parallel file system is received on oneof the nodes to perform an operation on a file in one of the volumes ofdata storage, a data management access right is obtained from the DMAPIresponsive to the request, and the operation on the file is performedusing the access right.

The present invention will be more fully understood from the followingdetailed description of the preferred embodiments thereof, takentogether with the drawings in which:

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram that schematically illustrates a cluster ofcomputing nodes with a parallel file system, in accordance with apreferred embodiment of the present invention;

FIG. 2 is a block diagram that schematically shows details of theparallel file system of FIG. 1, in accordance with a preferredembodiment of the present invention;

FIG. 3 is a flow chart that schematically illustrates a method forhandling a DMAPI event generated by a file operation in a parallel filesystem, in accordance with a preferred embodiment of the presentinvention;

FIG. 4 is a flow chart that schematically illustrates a method forunmounting an instance of a parallel file system, in accordance with apreferred embodiment of the present invention;

FIG. 5 is a flow chart that schematically illustrates a method forhandling a DMAPI function call in a parallel file system, in accordancewith a preferred embodiment of the present invention; and

FIG. 6 is a flow chart that schematically illustrates a method forhandling a DMAPI session failure in a parallel file system, inaccordance with a preferred embodiment of the present invention.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS Glossary

The following is a non-exhaustive list of technical terms that are usedin the present patent application and in the claims. The list isprovided here for the convenience of the reader. Certain of the items inthe list are specific to preferred embodiments of the present invention.These terms are described at greater length in the Detailed Descriptionfollowing the Glossary.

-   -   Cluster: A collection of computers interconnected by a        communication mechanism, typically a high-performance switch or        a network. The computers in the cluster collaborate with each        other in computations and share data resources.    -   Node: A computer that is part of a cluster. Each node in the        cluster has a cluster-wide unique identity.    -   File System: A hierarchical collection of files and file        directories that are stored on disk and have an identified root,        and are accessed using a predefined interface. Typically, such        interfaces follow the prescription of standards, such as Posix.        The term “file system” is also loosely used to describe the data        and metadata contained in the file system.    -   File System Instance: A file system that is mounted on a        computer. In a cluster, a given file system can have multiple        file system instances, each instance mounted on a different        node.    -   Physical File System (PFS): A software component that manages        collections of data on disks, typically using mechanisms and        interfaces prescribed by the X/Open and Posix standards. The PFS        is one of layers in the hierarchy of interfaces that are used to        support the file system and to enable software applications to        access the file data. Multiple different PFSs may coexist on a        computer, each used to implement a different type of file        system. The PFS usually runs in the kernel, with possible        extensions running as daemons in user space.    -   Parallel File System: A PFS running on a cluster of nodes, which        enables all nodes in the cluster to access the same file data        concurrently. Preferably, all nodes share in the management of        the file systems. Any of the nodes can perform any role required        to manage the file systems, with specific roles assigned to        particular nodes as needed. The term “parallel file system” is        also loosely used to describe a file system that is managed by a        PFS software component, as defined in this paragraph.    -   DMAPI: Data Management Application Programming Interface, as        specified in the above-mentioned XDSM standard. This term is        also used to denote the software sub-component implementing the        interface in the PFS.    -   Session Node: A node in a cluster on which one or more data        management (DM) sessions have been created. (The term “data        management” is used as defined in the XDSM standard.) The term        is also used to identify a specific node at which a specific        session exists.    -   Source Node: A node in a cluster that generates DM events. (The        term “events” is similarly used as defined in the XDSM        standard.) The term is also used to identify a specific node        that generated a specific event.    -   Session Manager (SM): A node in a cluster that is assigned the        role of coordinating the creation and maintenance of DM sessions        and DM event dispositions on the nodes in the cluster.        Typically, the sessions may be created on any of the nodes,        including the session manager node.    -   File System Manager (FSM): A node in a cluster that is assigned        the role of managing the metadata of a specific file system. The        node coordinates among all the instances of the file system that        are mounted on the different nodes in the cluster.    -   Persistent Data: Data used by a software component on a computer        or a cluster of nodes, which is not lost when the component        crashes. Persistent data can be recovered and restored when the        component recovers.    -   Single Node Failure: A failure that occurs on a single node in a        cluster. Services provided by other nodes in the cluster are        normally not affected by this failure. The term is specifically        used to describe the failure of the PFS software component. All        file systems managed by the failing PFS become inaccessible on        the failing node, but typically remain accessible on other nodes        in the cluster.    -   Total PFS Failure: Failure of the PFS software component on all        the nodes in a cluster. All file systems managed by the failing        PFS become inaccessible on all nodes in the cluster.    -   File System Failure: Failure of a file system instance on a        single node, possibly due to disconnection from disks or from        other nodes in a cluster. The failing file system instance        becomes inaccessible on the node where the failure occurred. The        term is also used to describe the failure of multiple (or all)        instances of the same file system on any node in the cluster.    -   Session Failure: Failure of the PFS on a session node, at which        one or more sessions exist for monitoring file systems managed        by the failing PFS. Such sessions can no longer be used, and are        hence called failed sessions. When the PFS recovers, the        sessions can be recreated. The term is also used to identify the        failure of a specific session on a specific node.

SYSTEM OVERVIEW

FIG. 1 is a block diagram that schematically illustrates a cluster 20 ofcomputing nodes 22, running a parallel file system, identified as aphysical file system (PFS) 28, in accordance with a preferred embodimentof the present invention. Nodes 22 are connected to one another and tomultiple disks 24 by a suitable communication mechanism, such as ahigh-capacity switch or network (not shown). The disks may thus beaccessed in parallel by any of the nodes. Preferably, cluster 20comprises an IBM SP or HACMP system, and PFS 28 comprises GPFS, runningon the AIX operating system, as described in the Background of theInvention. Alternatively, nodes 22 may be arranged in other clusterconfigurations, and PFS 28 may comprise other types of parallel filesystems and operating platforms. In this regard, it is noted by way ofexample that the IBM GPFS file system has been ported to otherplatforms, such as Linux.

All nodes 22 in cluster 20 can mount the same file systems. The filedata and metadata of the file systems are striped across multiplelogical volumes, each of which may reside on a different node 22. All ofthe volumes are accessible from all of the nodes via a shared diskmechanism, preferably the virtual shared disk (VSD) mechanism used byGPFS. File data can thus be accessed in parallel by multiple tasks onmultiple nodes. Parallel access is preferably protected by a byte rangelock, as described in the above-mentioned patents by Schmuck et al.

One of nodes 22, is selected to serve as cluster configuration manager(CM) 34. If the CM fails, another node takes its place. The CM performsvarious global coordination duties in cluster 20. These duties includeappointing one of the nodes to serve as file system manager (FSM) 36 foreach file system in the cluster. The FSM serves all of the nodes in thecluster that mount the given file system. It is responsible for metadatamanagement, which is used to maintain the file system instances on allof the nodes in a consistent state.

Nodes 22 are capable of running both user applications 30 and datamanagement (DM) applications 32. These applications may be eithersingle-node or parallel, multi-node applications, which take advantageof PFS 28 to access disks 24. A Data Management Application ProgrammingInterface (DMAPI) 26 is preferably integrated into physical file system(PFS) 28. DM applications 32 use DMAPI 26 to track and control fileoperations and to manage file data of file systems in cluster 20, asdescribed in detail hereinbelow. For this purpose, DMAPI 26 usesmechanisms and infrastructure provided by the PFS, includingcommunication, memory management, locking and synchronization. In asimilar vein, configuration manager 34 of PFS 28 also serves as asession manager (SM) for DMAPI 26.

PFS 28 with DMAPI 26 is typically supplied as a software package forinstallation on cluster 20, with or without a complete operating system,such as AIX. This software may be downloaded to the cluster inelectronic form, over a network, for example, or it may alternatively besupplied on tangible media, such as CD-ROM, for installation on thecluster nodes.

FIG. 2 is a block diagram that schematically shows further details ofthe software structure and operation of PFS 28, and particularly ofDMAPI 26, in accordance with a preferred embodiment of the presentinvention. The figure shows a session node 40, a source node 42 and asession manager (SM) node 44, all of which are nodes 22 (FIG. 1) incluster 20. DM application 32 is shown to be running on node 40, whileuser application 30 is running on node 42. Typically, both DMapplication 32 and user application 30 may be distributed applications,running on multiple nodes simultaneously, and possibly running togetheron the same node. For the sake of simplicity of illustration, however,and without loss of generality, only a single node of each type is shownin FIG. 2. Similarly, although SM 34 is shown as running on a separatesession manager node 44, it may alternatively run on any of the nodes incluster 20, including session node 40 and source node 42.

In an alternative embodiment of the present invention, not shown in thefigures, DM sessions are explicitly replicated on all nodes in thecluster. DM events generated at a source node are then delivered to asession at the source node itself. This embodiment requires that DMapplications be defined as multi-node, parallel applications, unlike DMapplications known in the art. Each event is handled by the DMapplication instance on the source node at which it originated, whileconsistency is maintained among the instances using methods known in theart of parallel applications.

SESSION AND EVENT HANDLING

Upon initiation of DM application 32, the application creates a DMAPIsession on session node 40. Dispositions 49 of enabled events 46 aremaintained on source node 42 and on SM node 44. A list of enabled eventscan be associated individually with a file and globally with an entirefile system. Conflicts between individual and global event lists arepreferably resolved in favor of the individual list. Preferably, eventlists are persistent and are kept with the file system in stablestorage. Dispositions are not persistent and must be set explicitly foreach file system after PFS 28 is started and sessions are created.

When user application 30 on source node 42 invokes a file operation thatgenerates an enabled event having a disposition in disposition list 49,DMAPI 26 sends the event to an event queue on session node 40. (Node 42is referred to as the source node, because it is the source of thegenerated event in the present example.) When the event is a synchronousevent, PFS 28 on the source node waits for the response of the DMapplication before allowing the file operation to proceed. The processof sending events and responses is described in greater detailhereinbelow with reference to FIG. 3.

In practice, multiple DM applications and multiple sessions may runsimultaneously in cluster 20. Each session can monitor multiple filesystems. At the same time, multiple DM application threads can accessthe same file in parallel. Moreover, a given file system may bemonitored by multiple sessions, created by the same DM application or bydifferent DM applications running concurrently, on the same node or ondifferent nodes. When there are multiple sessions monitoring a givenfile system, event dispositions are partitioned among the sessions byevent type, so that there is no ambiguity as to which session willhandle each type of event. On the other hand, multiple sessions can alsobe used to monitor different, respective file systems.

DM application 32 can set the disposition of events or change thedisposition of events in a given file system from one session toanother, as noted above, using the DMAPI dm_set_disp( ) function. Thiscall can come from any node at substantially any time. The nodeinitiating the change notifies SM 34, which accordingly updatesdispositions 49 in its own, centrally-maintained data structures. The SMsends the changes to the relevant FSM 36, which then sends theinformation to all nodes on which the file system is mounted. When a newFSM is appointed (at the first mount of a given file system, or afterfailure of the previous FSM), it obtains the event dispositions form SM34. When additional nodes mount the file system, they obtain thedispositions from the relevant FSM. This approach guarantees that theFSM and all nodes mounting the file system will always have the mostcurrent event dispositions, while maintaining efficiency ofcommunications by disseminating information only to the nodes for whichit is relevant.

SM 34 is responsible for coordinating among the session nodes, in orderto ensure that all session identifiers (IDs) are unique and that eventdisposition partitioning is consistent. All nodes 22 in cluster 20 knowthe identity of the session manager.

A new session is created by invoking the DMAPI functiondm_create_session( ) on the session node, which then sends a message toSM 34. The SM generates a session ID, adds the session to its list ofall sessions in the cluster, broadcasts the session details to all nodesin the cluster, and returns the session ID to the session node. Thesession becomes valid only after session node 40 and SM 44 complete allof these messages. Session IDs are preferably unique over time in thecluster, most preferably consisting of a time stamp and the node ID ofSM 34. The use of globally-unique session IDs, which are never reused,prevents naming consistency problems in the multinode environment.

A new session node assumes an existing session by invokingdm_create_session( ), specifying the existing session ID. DMAPI 26 sendsthe ID to SM 34, which updates the session details in its list. Anexisting session will be assumed in this manner only after a sessionnode failure, as described below. The session ID does not change when anexisting session is assumed. dm_create_session( ) can also be used tomodify the session information string of an existing session. This callcan be made only on the session node.

A session can register (or unregister) to receive an event when a filesystem is mounted on one of nodes 22 by calling the DMAPI functiondm_set_disp( ) on the session node. DMAPI 26 informs SM 34, and the SMkeeps track of the sessions that are registered for the mount event.When a node performs a mount operation, it obtains from the SM a list ofsessions that are registered for the mount event.

A session may be destroyed by invoking the DMAPI functiondm_destroy_session( ) on session node 40. In this case, the session nodesends a message to SM 34, which removes the session from its list andbroadcasts the change to all nodes.

For efficient event generation and recovery from PFS failure, thesession and event information is replicated on multiple nodes in cluster20. Preferably, as shown in FIG. 2, information regarding eachoutstanding event 46 is maintained on both session node 40 and on sourcenode 42. Session data 48 are maintained on session node 40 and onsession manager node 44. Preferably, every node in the cluster maintainspartial information on every session in the cluster, including sessionID, session node address, whether or not the session is registered forthe mount event, and a short prefix of the session information string.Dispositions 49 are maintained by SM 34 on node 44, and on all nodes onwhich the monitored file system is mounted, including source node 42.

SM 34 is responsible for disseminating changes in session details. Whenthe SM is notified of a change in the state of one of the sessions, itbroadcasts the change to all of the nodes in the cluster.

Replication of the session information and event dispositions onmultiple nodes allows DMAPI events to be generated efficiently, withoutrepeatedly communicating session and disposition information betweennodes. It also supports efficient recovery from single node failurewithout the necessity of using stable storage. Methods for handlingsession failures in system 20 are described hereinbelow with referenceto FIG. 6.

FIG. 3 is a flow chart that schematically illustrates a method forhandling a DMAPI event generated in cluster 20, in accordance with apreferred embodiment of the present invention. The method begins whenuser application 30 invokes a file operation on source node 42, at aninvocation step 50. It is assumed that this file operation generates anevent that appears in the list of enabled events 46 and dispositions 49,which are furnished by SM 44 to all nodes in system 20 that have mountedinstances of the file system in question. Typically, if the event isenabled, but there is no disposition listed, DMAPI 26 will return anerror message to the user application.

Event generation is preferably implemented in the virtual file system(VFS) interface layer of PFS 28. The definition of the VFS layer and itsinteraction with the PFS are well known in the art of UNIX-typeoperating systems, including the above-mentioned IBM AIX operatingsystem. The integration of DMAPI 26 with PFS 28 includes augmenting thefile operations in the PFS with code for event generation. In an eventgeneration step 52, this code causes the file operation client threadinvoked at step 50 to generate the prescribed event. If the event is anasynchronous event, PFS 28 on source node 42 sends an appropriate eventmessage to the session on session node 40, and the requested fileoperation is then immediately free to proceed on source node 42. In theexample shown in FIG. 3, however, the event is assumed to be asynchronous event, which causes the file operation thread to block andawait a response from the DM application before proceeding with PFSprocessing.

PFS 28 on source node 42 sends an event message to PFS 28 on sessionnode 40, in accordance with the specified event disposition, at an eventsending step 54. The event message header preferably carries a field,ev_nodeid, which is added to the dm_eventmsg structure defined in theabove-mentioned XDSM specification in order to identify source node 42(since events can be generated at any node in cluster 20). Inimplementations based on GPFS in the SP environment, the node identifieris preferably its System Data Repository (SDR) node number. The eventmessage is enqueued at session node 42.

DM application 32 on session node 40 receives and handles the event sentby PFS 28, at an event handling step 56. For this purpose, the DMapplication makes use of function calls provided by DMAPI 26, such asdm_get_events( ), as specified by the XDSM standard. These functioncalls are implemented as kernel calls from the user space of the DMapplication into PFS 28, based on linking the DM application with aninterface library of DMAPI function calls, as is known in the art. DMfunction calls enter the PFS kernel on the DM application thread. Theprocessing may involve additional PFS daemon threads, and may proceedboth in user and kernel space.

After DM application 32 has processed the event, it generates itsresponse to the event, at a response step 58, using the DMAPI functioncall dm_respond_event( ). Session node 40 sends the response back tosource node 42, at a response sending step 60. The PFS on node 42 passesthe event response to the file operation thread, at a response receptionstep 62. If the response indicates that the operation should be aborted,the file operation returns to user application 30 without further PFSprocessing; otherwise, the file operation continues its PFS processinguntil completion, at a continuation or aborting step 64.

MOUNTING AND UNMOUNTING FILE SYSTEM INSTANCES

PFS 28 generates a mount event each time a mount operation is performedon one of the nodes in cluster 20. Similarly, each unmount operation onany node generates preunmount and unmount events, assuming such eventsare enabled and have a disposition. DM application 32 should thereforebe capable of handling multiple mount, preunmount and unmount events,corresponding to multiple instances of the file system that are mountedon multiple nodes. By contrast, in single-node systems, as implied bythe XDSM standard, DM applications are not required to deal with morethan a single mount, preunmount or unmount event per file system. As aresult, in single-node systems, the preunmount and unmount events alwaysfollow the mount event in serial order.

In PFS 28, on the other hand, there is not a predictable serialrelationship between all of the mount, preunmount and unmount events ofeach file system. Without serialization of all mount and unmountoperations of the file system, there is no practical way to designatethe first or last mount or unmount. There need not even be a matchbetween the number of mount events and the number of preunmount orunmount events for a given file system, since an unmount that isinitiated internally by PFS 28 (due to forced unmount or PFS shutdown,for example) will not generate any events. Therefore, DMAPI 26 requiresmethods for handling mount, preunmount and unmount events that extendthose provided by the XDSM standard.

To provide additional information to DM application 32, two new flags,DM_LOCAL_MOUNT and DM_REMOTE_MOUNT, not defined in the XDSM standard,are preferably added to the mode fields in the message structures ofmount, preunmount and unmount events (the me_mode and ne_mode fields,respectively) . When DM_LOCAL_MOUNT is set, the mount or unmountoperation concerned is local to the session node. When DM_REMOTE_MOUNTis set, the operation is at a node that is remote from the session node.In this case, the ev_nodeid field mentioned above can be used by thesession node to identify the source node on which the mount or unmountoperation is to be performed. These flags are also used in thedm_mount_event data structure returned by the DMAPI functiondm_get_mountinfo( ). This function can be called from any node, even ifthe file system is not mounted on that node. At least one of the twoflags will be set in the data structure that is returned, as long as thefile system is mounted on one or more of the nodes in cluster 20.

DM application 32 can make good use of the enhanced node informationprovided by the dm_get_mountinfo( ) function for processing of mount andpreunmount events. For example, before the DM application responds to amount event received from a node that is not the session node, it caninvoke dm_get_mountinfo( ) to determine whether the relevant file systemis already mounted locally at the session node. If not, the DMapplication preferably performs a local mount.

Mount events are preferably enqueued in the session queue ahead of otherevents, in order to improve the response time of PFS 28 to mountoperations when the queue is busy.

FIG. 4 is a flow chart that schematically illustrates a method forperforming an unmount operation on source node 42, in accordance with apreferred embodiment of the present invention. This method is usedwhenever an unmount operation is invoked, at an unmount invocation step70. DMAPI 26 on source node 42 generates a preunmount event message andwaits for the response from the DM application, at an event generationstep 72. This message is received and processed by DMAPI 26 on sessionnode 40. DMAPI 26 on source node 42 receives the response from sessionnode 40, at a response receipt step 74.

DMAPI 26 checks whether the unmount operation is a forced unmount, at aforce checking step 76. In such a case, any outstanding access rightsfor the relevant file system on source node 42 are released, at acleanup step 78. DMAPI 26 then permits the unmount to proceed, at anunmounting step 80.

On the other hand, if the unmount is not a forced unmount, DMAPI 26checks whether it has received an “abort” response from session node 40,at an abort checking step 82. If so, the unmount operation is failed.Similarly, the unmount is failed if there are still DM access rights tothe file system on source node 42, at an access right checking step 84.In either of these cases, an error code is set for the unmount operationon node 42, at an error step 86. Only if there are no outstanding accessrights on node 42 can the unmount proceed normally at step 80.

Whether the unmount was performed successfully (step 80) or not (step86), DMAPI 26 generates an unmount event and waits for a response, at anunmount event generation step 88. After receiving the response, anyerror code that was set at step 86 is returned by the unmount operation,at an error return step 89.

DM ACCESS RIGHTS

DM applications acquire DM access rights to file objects and associatethem with event tokens. DM access rights are required in some of theDMAPI functions specified in the XDSM standard (which are implemented inthe multi-node environment by the present invention). In order to avoidoverhead that would be incurred by managing access rights distributivelyin the cluster setting, all of the access rights associated with a givenevent are preferably managed by the corresponding session node. Thus,all requests to acquire, change, query or release DM access rights mustbe invoked by the DM application on session node 40.

File operations must abide by DM access rights. In particular, fileoperations that conflict with DM access rights must be blocked while theaccess is held by the DM application. Conversely, the DM applicationmust be prevented from acquiring an access right while a conflictingfile operation is in progress. Preferably, these access rights areimplemented using the internal locking mechanisms of PFS 28, such as theGPFS locking mechanisms described in the above-mentioned patents bySchmuck et al.

DM access rights in cluster 20 are preferably treated as an additionalfile lock in the hierarchy of locks acquired during file access. Thisapproach enables acquiring and releasing access rights efficiently,using existing, highly-optimized locking mechanisms of the PFS. Thisadditional lock is referred to herein as the “DM lock.” The lockcharacteristics are affected by the type of access (shared or exclusive)and the type of thread acquiring the lock (file operation thread or datamanagement operation thread). Existing file locks (such as thosedescribed by Schmuck et al.) cannot be used for this purpose, since DMaccess rights are held across multiple kernel calls and can be sharedamong DM application threads without going through the kernel. Theexisting file locks are still required to synchronize access to filedata, even while a DM access right is held. Preferably, to preventdeadlocks, the DM lock is acquired before any other locks in the filelocking hierarchy.

Table I below is a lock conflict table that defines DM access rightssemantics in cluster 20. Four lock modes are used:

TABLE I DM ACCESS RIGHTS FSS FSX DMS DMX FSS X FSX X X DMS X X DMX X X XX

DMX and DMS modes are used only in DM operations. They provide exclusiveand shared access rights, respectively, for each individual DMoperation, as defined by the XDSM standard.

FSX and FSS modes are used in file operations, in order to prevent DMapplications from acquiring a DM access right while a conflicting fileoperation is in progress. FSX prevents acquisition of any DM accessrights. FSS prevents acquisition of exclusive DM access rights, but doesnot conflict with shared DM access rights. Typically, a file operationthat modifies the data in a file object or destroys the object willacquire a FSX lock, whereas a FSS lock will suffice for other fileoperations. There is no conflict between the FSX and FSS modes, becausefile operations never compete with one another for DM locks. Thisfeature is important in reducing the performance impact of theadditional DM lock in parallel file systems, since locking conflicts insuch systems are resolved by communication among multiple nodes.

In the GPFS parallel file system, as described by Schmuck et al., filelocking is implemented using a token manager, which grants lock tokensto nodes upon request and revokes them when other nodes make conflictingrequests. For the DM lock, after the token manager grants a FSX or FSStoken to a node, there will be no need to revoke the token until a DMapplication requests a DM lock on the file. For files being usedactively by a user application, interference by typical DM applicationsis generally expected to be minimal. The added overhead in normal fileoperations that is associated with DM lock acquisitions and revocationsshould therefore be small.

While a file operation holds its DM lock only for the duration of theoperation (a single kernel call), a DM application can hold its DM lockacross many DMAPI function calls (multiple kernel calls). Thiscontinuous holding of the DM lock is achieved by associating the accessright in question with an event token, which can be presented insubsequent DMAPI calls.

DMAPI functions can be invoked without presenting a DM token(DM_NO_TOKEN), in which case DM access rights are acquired only for theduration of the given DMAPI function. For this purpose, a FSS or FSXlock is sufficient, instead of the more restrictive DMS or DSM lock. Thetokenless DMAPI call thus uses the same type of DM locking as do regularfile operations.

INVOKING DMAPI FUNCTIONS IN A CLUSTER

In preferred embodiments of the present invention, in the multi-nodeenvironment of cluster 20, DMAPI functions can be called from any of thenodes in the cluster. Functions that do not change the state of asession or event can be invoked freely at any node, in order to enableDM applications to exploit the inherent parallelism of the PFS.dm_punch_hole( ) and dm_read_invis( ) are examples of suchnon-state-changing DMAPI functions. On the other hand, DMAPI functionsthat change the state of a session or event must be invoked on thesession node.

FIG. 5 is a flow chart that schematically illustrates a method forprocessing a DMAPI function call that provides as parameters a sessionID and event token, in accordance with a preferred embodiment of thepresent invention. This method is invoked when DMAPI 26 receives afunction call from DM application 32 on node 22, at a function callingstep 90. DMAPI 26 ascertains whether node 22 is the session node (suchas node 40) for the session, at a session node determination step 92. Ifso, the required function is carried out by PFS 28, in a functionperforming step 100.

If the node invoking the function call is not the session node for thissession, DMAPI 26 determines whether this function changes the state ofthe DM event or session (as specified by the XDSM standard), at a statechange determination step 96. If so, the requested function is failed,and DMAPI 26 returns an error to DM application 32, at a failure step98.

On the other hand, if this is not the session node, and the DMAPIfunction does not change the current event or session state, the callproceeds in step 100 as long as the session exists on some node, and therequired event token is presented. Optionally, the DM application on therequesting node caches a copy of the token.

DMAPI FAILURE AND RECOVERY MECHANISMS

The failure model defined in the XDSM standard is geared to asingle-node system, in which two types of DMAPI-related failures mayoccur: DM application failure or total PFS failure. When only the DMapplication fails, DMAPI resources, such as sessions and events, remainintact. As a result, file systems may become unstable, since there maybe pending events and blocked user threads, waiting for response by theDM application. To deal with this situation, the DM application mustrestart and pick up any existing session where it left off. For thispurpose, the XDSM standard provides DMAPI functions that enable therestarted DM application to query the session queue and handle anypending events.

Recovery from total PFS failure is a matter for the PFS to handle and isbeyond the scope of the XDSM standard. When the PFS fails, allnon-persistent DMAPI resources are lost. The PFS is expected to clean upits own state when it is restarted. The DM application can then restartas well. Since sessions are not persistent, there is no need in thiscase for session recovery.

These two models do not describe all of the possible types of failurethat may occur in a multi-node parallel file system, as is used inpreferred embodiments of the present invention. The multi-node systemshould also be capable of dealing with single-node failures, in which afile system instance or the PFS may fail on one or more of the nodes,while continuing to work run on the others. In such a case, DMAPI 26should also continue to operate and enable file access on the survivingnodes, while the PFS recovers on the failed nodes. A distributed DMapplication may likewise continue running on some nodes, while othernodes (possibly including the session node for the DM application) havefailed and are in the process of recovery.

Single-node failure may occur in the multi-node system either when aspecific file system becomes inaccessible on the node or when the entirePFS fails on the node. In the latter case, all file system instancesthat are managed by the PFS become inaccessible on that node. Handlingof and recovery from a single node failure depend on whether the failednode is a source node or a session node. When source node 42 fails (FIG.2), events generated by that node become obsolete. If such events werealready enqueued at session node 40, DM application 32 will continue toprocess the events. The processing may be unnecessary, since there is nolonger any file operation waiting for the response, but is harmlessaside from the attendant loss in efficiency.

Session node failures are more difficult to handle. When a session nodefails, all DMAPI resources, including all sessions, are lost on thefailing node, although not on other, surviving nodes. File operations onthe surviving nodes may still be blocked, however, waiting for responsefrom an event previously sent to a failed session. It is thereforeimportant to recover the session, possibly on another node, and toresume handling of pending events, so that file operations on thesurviving nodes will be able to continue without failure.

FIG. 6 is a flow chart that schematically illustrates a method fordealing with session failure on node 40, in accordance with a preferredembodiment of the present invention. This type of failure scenario isnot addressed by the XDSM standard. The present method is needed toensure that events generated at any of the nodes in cluster 20 can behandled in the proper manner, so that user threads that generated thoseevents can accordingly be unblocked.

Session failure is detected at a session failure step 110, preferably bya “heartbeat” or group service that checks connectivity in cluster 20,as is known in the art. Session manager (SM) 34 plays an important roleduring session recovery. When session node 40 fails, SM 34 is notified,at a notification step 112. The SM marks the session as failed, butkeeps all of the session details.

Recovery following the session failure is triggered by DM application32, at a triggering step 114. There are two ways of triggering sessionrecovery, depending on whether the DM application itself has alsofailed, or only the PFS has failed:

-   -   Explicit recovery—If the DM application failed at the same time        as the session (due to node crash, for example), it must be        restarted, possibly on another node. The restarted DM        application explicitly assumes the old session, using the DMAPI        function dm_create_session( ) and specifying the session ID.        Assumption of the failed session triggers reconstruction of the        session queue and the events on it on the new session node, as        described below. The DM application can then continue handling        events. If the DM application survives, it may notice that the        session has failed, on account of the error codes that it        receives in response to DMAPI function calls. In this case, the        application may wait for the PFS to recover on the failed node,        or it may alternatively move to another node and assume the        failed session, as described above.    -   Implicit recovery—Since the DM application executes as a        separate process, independent of the PFS, it is possible that        the PFS will recover before the DM application has even noticed        the failure. In this case, session queue reconstruction is        triggered implicitly when the DM application invokes any DMAPI        function for the session at the session node. Explicit session        assumption is unnecessary in this situation.

Calling dm_create_session( ) and supplying the session ID (explicitrecovery) or calling any DMAPI function for the session (implicitrecovery) causes DMAPI 26 on the new session node to contact SM 34, at acontact step 116. The SM records the new session node and sessioninformation string, if any, and changes the session state from failed tovalid. It broadcasts the updated session details to all nodes, at abroadcast step 118.

While recovering the session, it is necessary to reconstruct the sessionqueue at the new session node. Preferably, in order to reconstruct thesession queue, session node 40 broadcasts a request to all of the nodesin cluster 20, at a request step 119. Upon receiving this request, thesurviving nodes resubmit any pending synchronous events they may have tothe new session node, at a resubmission step 120. This step causes theevent tokens to be regenerated with the same IDs as they had before thefailure. Certain events may not be recoverable by DMAPI 26 following asession failure. Asynchronous events are lost with no harm done. Eventsthat originated from the failed session node, including user events,cannot be recovered by the resubmission mechanism described above.

Session failure results in the loss of resources associated with theevents in the session queue, including DM access rights. These resourcesare not recovered simply by resubmitting the events. As a result, DMAPIfunctions may fail after session recovery due to invalid DM accessrights. Furthermore, DMAPI 26 cannot determine after recovery whichevents were already being handled by the DM application prior to thefailure, nor can it guarantee that none of the files in question wereaccessed or modified before the failure. All events resubmitted after afailure revert to the initial (non-outstanding) state. Similarly, whenonly a file system instance fails at the session node, all DM accessrights for files in the file system are lost, although the events andtokens remain. After the file system instance is remounted, the DMapplication must reacquire the access rights. There is no guarantee thatobjects have not been modified while the access rights were not held.Therefore, DM application 32 should be written so as to recoverconsistently from the loss of DM access rights, notwithstanding theassociated loss of information. For example, the DM application could beprogrammed to keep its own state of events in progress or to implementan appropriate consistency protocol, as is known in the art.

It is desirable to provide mechanisms that will speed up recovery from asession failure and will prevent indefinite blocking of userapplications. Preferably, if a failed session does not recover after apredetermined lapse of time, pending events are aborted at source node42, and file operations associated with the events are failed. Userapplications 30 can then retry the failed operations as appropriate.

It may also occur that SM 34 fails, in which case a new SM is appointed.The new SM must recover all of the information that was maintained bythe previous SM. For this purpose, the new SM preferably broadcasts arequest to all nodes for session information. Each node responds bysending the SM a list of all the sessions existing on that node and theevent dispositions for all the file systems that are mounted at thenode. The new SM uses this information to rebuild the collective sessionand disposition information.

The only information that may not be fully recovered in this manner isconcerning sessions that existed on the failed SM node. As indicatedabove, each node preferably keeps partial information on every session.Most of the missing information can therefore be retrieved locally atthe new SM node, from the list of all sessions that was maintained atthat node. The only unrecoverable information regarding sessions thatexisted on the failed SM node is the session information string. Asnoted above, typically only a prefix of this string is maintained onnodes other than the session node itself.

The new SM reconstructs event dispositions based on information that itreceives from the file system managers (FSMs) 36 in cluster 20. If a FSMhas failed, the corresponding information is recovered from one of theother nodes that mounted the file system in question. If all of thenodes that mounted the file system have failed, however, thedispositions are lost, and new dispositions for the file system willhave to be set when the file system is mounted on some node.

After reconstructing the dispositions, the new SM must make sure thatthe information it now has is consistent with all of the nodes. For thispurpose, the SM sends its reconstructed dispositions to the FSMs, whichin turn send it to all the nodes that have mounted corresponding filesystem instances. If some file system has no FSM (typically due to FSMfailure), the dispositions are held at the SM and are sent to the newFSM when one is appointed.

Although preferred embodiments are described hereinabove with referenceto a particular configuration of cluster 20 and parallel file system 28,it will be appreciated that the principles embodied in DMAPI 26 aresimilarly applicable in other parallel file system environments, aswell. It will thus be understood that the preferred embodimentsdescribed above are cited by way of example, and that the presentinvention is not limited to what has been particularly shown anddescribed hereinabove. Rather, the scope of the present inventionincludes both combinations and subcombinations of the various featuresdescribed hereinabove, as well as variations and modifications thereofwhich would occur to persons skilled in the art upon reading theforegoing description and which are not disclosed in the prior art.

1. In a cluster of computing nodes having shared access to one or morevolumes of data storage using a parallel file system, a method formanaging the data storage, comprising: creating a session of a datamanagement (DM) application on a session node selected from among thenodes in the cluster by invoking a function of a data managementapplication programming interface (DMAPI) of the parallel file system;receiving a request submitted to the parallel file system by a userapplication on a source node in the cluster to perform an operation on afile in one of the volumes of data storage; sending a notification of aDM event from the source node to the session node responsive to therequest; obtaining a data management access right from the DMAPI byprocessing the event at the session node; and performing the operationon the file from the source node using the access right.
 2. A methodaccording to claim 1, wherein creating the session of the datamanagement application comprises initiating a data migrationapplication, so as to free storage space on at least one of the volumesof data storage, and wherein receiving the request comprises generatingan event responsive to the request, and wherein obtaining the datamanagement access right comprises associating a DM token with the rightat the session node for use invoking a DMAPI function to be applied tothe file and associating the token with the event, and whereinperforming the operation comprises migrating data at a plurality of thenodes simultaneously by presenting the token in connection with theDMAPI function.
 3. A method according to claim 1, wherein obtaining thedata management access right comprises acquiring a data management lockon the file, so as to restrict other data management and file operationson the file while the lock is held.
 4. A method according to claim 3,wherein the operation is a data management operation, and whereinacquiring the data management lock comprises holding the lock over asequence of multiple kernel calls in the parallel file system.
 5. Amethod according to claim 3, wherein the operation is a file operation,and wherein acquiring the data management lock comprises holding thelock for a single kernel call in the parallel file system.
 6. A methodaccording to claim 5, wherein the file operation is one of a pluralityof file operations to be performed on the file, and wherein acquiringthe data management lock comprises allowing the plurality of fileoperations to hold respective data management locks simultaneouslywithout mutual conflict.
 7. A method according to claim 3, whereinacquiring the data management lock comprises acquiring an exclusivelock.
 8. A method according to claim 3, wherein acquiring the datamanagement lock comprises acquiring a shared lock.
 9. A method accordingto claim 3, wherein acquiring the data management lock comprisesselecting the lock from a table of locks provided for both fileoperations and data management operations.
 10. A method according toclaim 9, wherein performing the operation comprises calling a DMAPIfunction to perform a data management operation, and wherein acquiringthe data management lock comprises acquiring, in a course of executingthe DMAPI function, one of the locks provided for the file operationsfor the duration of the DMAPI function, so as to enable calling theDMAPI function without presenting a DM token.
 11. A method according toclaim 3, wherein acquiring the data management lock comprises providingthe data management lock within a hierarchy of locks supported by theparallel file system.